BlackCat Malware (AKA ALPHV)

What Is BlackCat Malware?

First detected in November 2021, BlackCat (AKA ALPHV, Noberus) is regarded as one of the most sophisticated and threatening malware strains of 2021 and 2022. However, BlackCat’s blitz campaign peaked in late-2022 with a 28 percent drop in recorded infections. 

BlackCat is the first prominent malware written in the Rust programming language, a new language whose popularity is increasing due to its high performance and memory safety. BlackCat also boasts another capability: it can compromise Windows- and Linux-based operating systems.

BlackCat is operated as a ransomware-as-a-service (RaaS) by ALPHV, a Russian-speaking group of cybercrime actors. Its campaigns often employ a triple-extortion tactic: making individual ransom demands for the decryption of infected files; for not publishing stolen data; and for not launching denial of service (DoS) attacks. Having compromised roughly 200 enterprise organizations between November 2021 and September 2022, BlackCat has most often targeted companies in the financial, manufacturing, legal, and professional services industries—but BlackCat’s exploits span all industries.

BlackCat is related to ransomware variants BlackMatter and DarkSide regarding its source code and users. BlackCat operators advertise the ransomware to potential affiliates in private forums, such as the darknet forums XSS, Exploit Forum, and RAMP5, where they look for new cybercriminals to join their ranks.

The first stage of BlackCat attacks relies on phished, brute-forced, and illicitly purchased credentials—typically for Remote Desktop Protocol (RDP) connections and Virtual Private Network (VPN) services—as well as vulnerabilities published as CVEs (such as CVE-2019-7481). 

The second stage of an BlackCat attack typically starts by establishing reverse SSH tunnels to an BlackCat-controlled command-and-control (C2) infrastructure. From there, attacks are fully command-line driven, human-operated, and highly configurable. The prime directive of BlackCat post-infection is lateral movement within the victim’s network using PsExec to attack Active Directory user and administrator accounts and the exfiltration and encryption of sensitive files.

BlackCat’s primary payload is the first known malware written in the “Rust” programming language and can infect both Windows and Linux-based systems. BlackCat is effective against all versions of Windows, from XP and later (including Windows 11), Windows Server versions since 2008, Debian and Ubuntu Linux, ESXI virtualization hypervisor, as well as ReadyNAS and Synology network-attached storage products.

Second-Stage Techniques Used by BlackCat

  • Halting ESXi VMs, and deleting any backup ESX snapshots
  • Using PowerShell to disable Windows Defender or changing its security settings to disable certain features
  • Using PsExec to attack Active Directory user and administrator accounts
  • Installing penetration testing tool CobaltStrike and using it to move laterally to other systems on the same network 
  • Preventing its source code by detecting malware analysis tools such as VM hypervisors and halting its process
  • Using a software tool called Fendr (AKA ExMatter) to exfiltrate .PDF, .DOC, .DOCX, .XLS, .TXT, .BMP, .RDP, .SQL, and .ZIP files, among other file types
  • Deleting Windows shadow copy backups as target files are encrypted
  • Evading malware detection products by changing its binary contents and signature

BlackCat also has a highly modular encryption scheme defined in a JSON configuration file that allows for a unique key to be used for each campaign and has both a multi-threaded process for fast file encryption and multipass AES-128 encryption to deter any decryption attempts. BlackCat also employs intermittent encryption (or partial encryption) to increase encryption efficiency. BlackCat has several configurable encryption modes allowing files to be partially encrypted by specifying the number of bytes to encrypt, a percentage of the file to encrypt, or using a “Smart Pattern” technique—encrypting individual bytes using a modulus offset from the start of the file. The encryption module also includes an “Auto” setting where the encryption mode is selected based on each file’s extension, allowing BlackCat to most efficiently ransom files depending on their contents.

Signs of a BlackCat Attack

Known indicators of compromise (IOC) from BlackCat attacks include file hash signatures, command and control (C2) IP addresses, and domains released by the FBI and other malware analysis reports. Still, they may not be helpful against novel versions of BlackCat that have been compiled with alternate configurations. 

Characteristics that can help distinguish an BlackCat attack include:

  • Appending random extensions to each encrypted file that are unique for each campaign
  • Using a unique ransom note format that distinguishes BlackCat from other ransomware
  • Ransom notes include a link to a unique TOR website that displays evidence of exfiltrated and ransomed data
  • Creating a file called “RECOVER-<random>-NOTES.txt” in each directory that contains ransomed files

How to Prevent a BlackCat Attack

Protecting against BlackCat requires a strong enterprise cybersecurity program, including endpoint security that detects and blocks novel techniques. The following are defensive tactics for mitigating a BlackCat attack:

  • Ensure Office applications are configured with Disable all macros without notification or Disable all except digitally signed macros settings
  • Require strong passwords and multi-factor authentication (MFA) for all remote access services and ensure all default passwords are changed
  • Consider user awareness training to educate personnel about phishing techniques and develop standard operating procedures (SOP) for handling suspicious emails and documents
  • Configure email clients to notify users when emails originate from outside the organization
  • Ensure that updates and security patches are applied across the entire IT environment, including security products, operating systems, and applications
  • Monitor network activity for brute force attempts and rate limit authentication attempts for critical services
  • Implement strong network security including least-privilege, segmentation of critical services, role-based access controls, multi-factor authentication, and defense in depth to reduce the potential damage of stolen credentials 
  • Configure the Windows Registry to require User Account (UAC) to limit access to PsExec to prevent its use for lateral movement
  • Develop and maintain a strong backup strategy to ensure resilience against ransomware attacks
  • Configure web servers and APIs with security modules to optimize their performance during a traffic spike and DDOS attacks or purchase DDOS mitigation services from an Internet Service Provider (ISP), Content Delivery Network (CDN), or Web-Application Firewall (WAF) providers
CylancePROTECT® provides automated malware prevention, application and script control, memory protection, and device policy enforcement. This AI-based Endpoint Protection Platform (EPP) blocks cyberattacks and provides controls for safeguarding against sophisticated threats—no human intervention, internet connections, signature files, heuristics, or sandboxes required.